gpt-4o vs gpt-5-nano-medium KQL Benchmark
gpt-4o wins by 13.5%
Compared on 185 shared test questions
Overall Accuracy
gpt-4o
37.3%
69 / 185 correct
gpt-5-nano-medium
23.8%
44 / 185 correct
Average Cost per Query
gpt-4o: $0.0433
gpt-5-nano-medium: $0.0069
gpt-4o costs 523.5% more
Average Execution Time
gpt-4o: 14.30s
gpt-5-nano-medium: 65.07s
gpt-5-nano-medium takes 354.9% longer
Question-by-Question Analysis
Question-by-Question Comparison
Detailed comparison showing where each model succeeded or failed
Showing 1 to 25 of 185 questions
Page 1 of 8
| T1003 | On a Windows host, an attacker leveraged COMSVCS.DLL via rundll32.exe to dump the memory of svchost.exe into a file under the Temp directory. Review the file creation logs to determine the exact name of the dump file that was generated. | ✓ | ✗ | gpt-4o Wins |
| T1016.001 | On a Linux host, a ping command was executed to test internet connectivity. Determine which IP address was used as the ping target. | ✓ | ✗ | gpt-4o Wins |
| T1018 | A Windows host executed an ICMP-based network reconnaissance using a looping instruction in cmd.exe. Identify the exact command line that was used to perform the ping sweep. | ✓ | ✗ | gpt-4o Wins |
| T1021.006 | On Windows hosts, look through recent PowerShell execution records to find any elevated session where remote management was turned on. What exact command was run to enable PSRemoting? | ✓ | ✗ | gpt-4o Wins |
| T1036.004 | Analyze Windows process events for any schtasks.exe commands that created a new task invoking PowerShell. What is the name of the .ps1 script specified to run? | ✓ | ✗ | gpt-4o Wins |
| T1048.003 | A Linux host briefly hosted an HTTP service under /tmp. Examine process creation logs to determine the exact python3 command that was used to start the server on port 9090. | ✓ | ✗ | gpt-4o Wins |
| T1049 | A user launched a Windows command prompt and executed a built-in utility to enumerate all active network connections. Using process creation logs, identify the exact tool that produced the list of current connections. | ✓ | ✗ | gpt-4o Wins |
| T1053.003 | Linux hosts may log events when new files are added to /var/spool/cron/crontabs. Query those logs for a creation or write action in that directory and determine the file name that was added. | ✓ | ✗ | gpt-4o Wins |
| T1048.003 | Windows process creation logs show a PowerShell-driven file transfer to an FTP service. Which executable was leveraged to perform this exfiltration? | ✓ | ✗ | gpt-4o Wins |
| T1059.004 | Which full interactive shell command, as recorded in the Linux process logs, repeatedly echoed a distinctive marker message to the terminal? | ✓ | ✗ | gpt-4o Wins |
| T1059.004 | An attacker on a Linux host may try to enumerate installed shells by reading the system file that lists valid shells. Using process or syslog data, determine which command was executed to perform this enumeration. | ✓ | ✗ | gpt-4o Wins |
| T1059.004 | On a Linux system, find any process creation record where awk is used with a BEGIN rule to launch a shell. What was the exact command invoked? | ✓ | ✗ | gpt-4o Wins |
| T1059.004 | On a Linux system, review process execution records for any shell process that set an environment variable containing executable code and then piped it into another shell instance. Determine which environment variable name was used to store the script content. | ✓ | ✗ | gpt-4o Wins |
| T1070.003 | On a Windows endpoint, review process execution logs to see if any PowerShell sessions were wiped clean. Which command was executed to clear the PowerShell history? | ✓ | ✗ | gpt-4o Wins |
| T1059.004 | On a Linux host, identify the process invocation that altered a user’s login shell. What was the full command used? | ✓ | ✗ | gpt-4o Wins |
| T1069.001 | Investigate Windows process execution logs for a PowerShell cmdlet used to list group members. Look for entries where a group name is provided after a '-Name' flag and identify which group was queried. | ✓ | ✗ | gpt-4o Wins |
| T1070.003 | On a Windows device, there’s evidence that PowerShell history was wiped by deleting the history file. What was the exact command used to perform this action? | ✓ | ✗ | gpt-4o Wins |
| T1070.003 | On a Linux endpoint, you suspect malicious clearing of the bash history by redirecting from the null device. Explore process or file events to uncover the exact shell command that performed this action. | ✓ | ✗ | gpt-4o Wins |
| T1070.004 | Suspiciously, the recycle bin appears empty system-wide. Determine which command was executed on Windows to clear the system's recycle bin directory, including any switches and environment variables. | ✓ | ✗ | gpt-4o Wins |
| T1082 | While investigating process creation logs on a Linux device, you observe a privileged hardware interrogation step used to reveal virtualization details. Which utility was invoked? | ✓ | ✗ | gpt-4o Wins |
| T1070 | A suspicious actor appears to have removed the USN change journal on a Windows workstation. Investigate process start records to find out exactly which command was used to delete the journal. What was the full command line invoked? | ✓ | ✗ | gpt-4o Wins |
| T1112 | Evidence shows that the Windows Defender startup entry was tampered with via an elevated command prompt. Investigate registry events related to the Run key to discover which executable replaced the default SecurityHealth value. What is the name of the new program? | ✓ | ✗ | gpt-4o Wins |
| T1082 | A user‐space process on a Linux device invoked a shell to capture and display the system’s environment variables and path. Which exact command was used to perform this discovery? | ✓ | ✗ | gpt-4o Wins |
| T1082 | A Linux system shows a process in the execution logs that fetched the machine’s name. Review the DeviceProcessEvents table to find out which utility was called to perform this hostname lookup. | ✓ | ✗ | gpt-4o Wins |
| T1112 | On a Windows host, registry events reveal that PowerShell modified a value under the WDigest provider. Identify the exact command line that performed this registry change. | ✓ | ✗ | gpt-4o Wins |
Page 1 of 8
Explore individual model performance and detailed analysis